STS in Ceph Object Storage

Ceph is an open source, highly scalable, software defined storage that provides object, file and block interfaces under a unified system. Ceph Object Storage Gateway (RGW) provides a RESTful object storage interface to the Ceph Storage cluster. It provides an interface that is compatible with a large subset of AWS S3 APIs.

In this talk we discuss the implementation of a subset of the APIs of AWS Secure Token Service (STS). AWS STS is a web service which enables identity federation and cross-account access by providing temporary security credentials.

Ceph Object Storage Gateway now supports some APIs of AWS STS, particularly those related to web identity federation and cross-account access. The advantages of these temporary credentials are that they automatically expire after a certain duration, provide limited access (via IAM policies) to resources, are provided to the user upon request, and obviate the need for users/applications to save permanent security credentials, thereby removing a potential security loophole.

As an example, consider a web application that has users and needs access to RGW S3 buckets to read/write large files. The application can delegate identity management to a trusted third-party identity provider (IDP). It can get temporary credentials from STS after authenticating with the IDP and access the required RGW S3 buckets.

Outline of the talk:

  1. Introduction to Ceph and Ceph Object Storage Gateway
  2. Current authentication mechanisms in Ceph Object Storage Gateway
  3. AWS Secure Token Service
  4. STS APIs implemented in Ceph Object Storage
  5. Advantages of using STS
  6. Example
  7. Future Work


